Secure device onboarding

Ubuntu Core devices are onboarded to their owner's IoT app store in a secure manner. Secure onboarding prevents unauthorised access to private software and services. It also establishes a secure communication link between devices and their cloud backend.

Secure device onboarding is a four stage process that starts with a request for serial keys, proceeds with device initiation from the cloud, and ends with device authentication and authorisation. The first two stages are handled by the serial vault which is a service that issues credential to devices.

Secure device onboarding four stage process Illustration

Device initialisation

The secure onboarding process starts at first boot. When turned on for the first time, an Ubuntu Core device extracts its private key, its serial number, and its owner’s ID from metadata stored in its model assertion. Based on this data, the device will send a request for a serial assertion to its vault, which is hosted either by Canonical or on premise. The vault service processes the request. Had the device’s public key been stored in the vault, a serial assertion is issued as response to the request. The serial assertion issued by the serial vault is then stored on the device.

Authentication and authorisation

Both the serial and the model assertions will be used by devices to access your app store. Devices will use these secure documents to initiate a handshake with your app store. The app store authenticates the keys and authorises the device for a fixed period of time.